Traditionally, personal computing hardware and software systems followed a model in which users explicitly made trust decisions about the software installed and run on their computer hardware. For instance, a user could install software by inserting a compact disc (CD) or other computer-readable medium into his or her computer system. The user was responsible for the safety of the installed software, and for determining that the installed software did not contain malicious code, such as computer viruses, spyware, or other malicious software (malware).
This traditional trust model for software applications may not apply when software applications are delivered to computers over the Internet or the World Wide Web via, for example, a web browser. As an application platform, the modern web browser brings together a remarkable combination of resources, including seamless access to Internet resources and to a wide variety of application software. For example, web browser extensions and web applications may be written using the same standard web technology that developers use to create web pages. This is beneficial because it allows developers to create content without having to be concerned with compatibility with the entire World Wide Web, such as presentation differences between different types of web pages. Yet this potentially means that a web application or browser extension is vulnerable to standard classes of bugs. For example, a developer can write code that tries to extract content from one web page and display that content in a browser extension page. If the developer writes that code improperly, the developer might give the author of the web page (i.e., the web page from which the data is obtained) the ability to run code inside the developer's extension. This is sometimes called a cross-site scripting attack. With browser extensions, cross-site scripting attacks may prove especially dangerous because browser extensions may have more power than a normal web page does. If someone gains access to a browser extension, they can do the things that the extension can do, potentially creating security problems.
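The improperly written extraction code described above can be illustrated with an added example (not code from the original text): content taken from a web page is placed into extension-page markup first by plain concatenation, then with escaping and a link-scheme check. The names `scraped`, `renderUnsafe`, `renderSafe`, `escapeHtml` and `safeHref` are hypothetical, and the sample values are constructed.

```javascript
// Constructed sample: values a content script read from an untrusted web page.
const scraped = {
  title: '<img src=x onerror="alert(1)">',
  link: 'javascript:alert(1)',
};

// BEFORE: page-controlled strings are concatenated straight into markup.
// If an extension page assigns this string to innerHTML, the browser parses
// the page author's tag and runs it with the extension's privileges.
function renderUnsafe(item) {
  return '<a href="' + item.link + '">' + item.title + '</a>';
}

const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

// Encode every character that can start a tag, entity or attribute break.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Accept only absolute http(s) URLs; anything else becomes an inert "#".
function safeHref(raw) {
  try {
    const url = new URL(String(raw));
    const ok = url.protocol === 'http:' || url.protocol === 'https:';
    return ok ? url.href : '#';
  } catch (err) {
    return '#'; // relative or malformed input
  }
}

// AFTER: the page's data stays data. In a real extension page, setting
// textContent and calling setAttribute on created nodes achieves the same
// result without building markup strings at all.
function renderSafe(item) {
  return '<a href="' + escapeHtml(safeHref(item.link)) + '">' +
    escapeHtml(item.title) + '</a>';
}

console.log('unsafe:', renderUnsafe(scraped));
console.log('safe:  ', renderSafe(scraped));
```
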